Under the Hoodie 2018: Lessons from a Season of Penetration Testing

Executive Summary

This paper presents the results of 268 engagements (251 of which involved live, production network tests), conducted from early September of 2017 through mid-June of 2018. Fifty-nine percent of all penetration tests performed in the survey period were externally based, where the targets tend to be internet-facing vectors such as web applications, email phishing, cloud-hosted assets, and/or VPN exposure. External penetration tests make sense for most organizations, given the preponderance of internet-based attackers. However, we always advocate for a penetration test that includes an internal component, in order to understand the impact of a compromise and to quantify the gaps in an organization's defense-in-depth strategy.

The three broad categories of compromise Rapid7 penetration testers pursue are software vulnerabilities, network misconfigurations, and network credentials. We found:

  • Overall, Rapid7 penetration testers were able to exploit at least one in-production vulnerability in 84% of all engagements. That figure rises to 96% of all internally-based penetration tests.
  • In a similar vein, penetration testers were able to abuse at least one network misconfiguration at a slightly lower rate of 80%, but among internal assessments, a misconfiguration was leveraged in the investigator’s favor 96% of the time.
  • Finally, at least one credential was captured in 53% of all engagements, and 86% of the time when looking purely at internal engagements.

Back rooms. Black metal. Two shadowy figures furiously hacking away on the same keyboard at the same time. Thanks to its seemingly sinister objective – breaking into enterprise networks – penetration testing is often considered a dark art. But people just need to get to know it better.

We first launched “Under the Hoodie” in 2017 to demystify the practice of penetration testing by surveying those in the field on what they see during client engagements — all to determine countermeasures you can take to best detect and prevent the truly sinister folks from breaching your network. We’ve renewed this approach in 2018 to continue providing visibility into this often occult niche of information security.

To dive into this year’s findings, read the executive summary and the full report, register for the webcast, and check out the pen tester video testimonials below.
